Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

The U.S. government is steadily increasing its adoption of the DMARC email security protocol, according to new research from security firm Agari, published on Jan. 2.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a protocol that helps protect the integrity and authenticity of email. DMARC makes use of the Sender Policy Framework (SPF) as well as Domain Keys Identified Email (DKIM) to help verify email authenticity. One of the goals of DMARC is to protect domains to mitigate the risks of attackers using them as a spamming address.

The government’s increased use of DMARC is part of an effort by federal agencies to comply with a Department of Homeland Security (DHS) directive. The DHS issued the 18-01 binding operational directive on Oct. 16, in a bid to enhance email and web security in U.S. federal government agencies. The directive has its first milestone deadline on Jan. 15, which requires all second-level agency domains to have valid SPF/DMARC records.

"When an email is received that doesn't pass an agency’s posted SPF/DKIM rules, DMARC … tells a recipient what the domain owner would like done with the message," the DHS BOD 18-01 states. "Setting a DMARC policy of 'reject' provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery."

Related Reading

In addition, the DHS BOD-1801 states that DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn't normally receive otherwise. Agari reported that on Nov. 18, DMARC adoption within the U.S. government was at 34 percent of federal agencies. By Dec. 18, that number had jumped to 47 percent.

"It's very encouraging to see this rapid adoption among so many agencies and departments," Patrick Peterson, founder and executive chairman of Agari, told eWEEK. "Adoption has also been aided by agencies like Health and Human Services, who have been vocal in sharing their success story as a DMARC pioneer."

The increase in DMARC adoption within the federal government is a trend that the Online Trust Alliance (OTA) also noticed in research released on Nov. 9. Jeff Wilbur, director of the Online Trust Alliance, told eWEEK that the OTA reported nearly a doubling of DMARC records between May and the end of October for the top 100 federal government domains.

DMARC Adoption

DMARC can benefit all sectors, not just the government, in improving email security, though the government is currently a leader in terms of deployment. Peterson noted that government adoption of DMARC has now surpassed Fortune 500 adoption.

"Federal adoption of DMARC has reached 47 percent, while Fortune 500 adoption remains at only 33 percent," he said.

There are multiple challenges for organizations looking to deploy DMARC. To fully implement DMARC, organizations must first do an inventory of their domains and ensure that email authentication (SPF and DKIM) is properly implemented on those domains, according to Wilbur.

Wilbur explained that organizations can implement a DMARC record with a policy of "none" and request feedback reports showing them what receivers (e.g., mailbox providers) see in terms of email and authentication coming from those domains. He added that there are several companies that can assist in this process by processing the data and providing summary reports and action plans to solidify the email authentication in preparation for moving to a DMARC policy of quarantine (i.e., put in a junk folder) or reject.

"The main challenge is ongoing attention and discipline in managing the domains and their associated email authentication, and it therefore must be made a priority if it is to be successful," Wilbur said. "Based on the DHS directive, the U.S. government appears to be raising the priority level."

In Peterson's view, the biggest challenge when it comes to DMARC adoption is one of leadership.

"IT and security teams are busy; no one is looking for an extra project," he said. "Leaders must first choose to take back their online identity in email from phishers and scammers."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.